Computer systems have been designed to be divided up into partitions. A partition is a complete computer system running an Operating System “OS” image, user applications, etc. separately from other partitions, wherein hardware provides “firewalls” between the partitions. This is generally done to prevent a failure in one partition from propagating a failure in another partition as a result of various forms of corruption stemming from software faults, and/or hardware faults, whether malicious or otherwise. Accordingly, firewalls generally function as barriers, which ignore all communication from a partition which a given partition does not trust, such that any traffic which arrives from an untrusted partition will be discarded.
In implementing these firewalls, many known systems do not allow communication such as interrupts across a partition boundary, because of the potential for corruption. Conversely, however, some problems are created if a system does not allow any communication. Not the least of these problems is that one loses the benefit of the high bandwidth interconnect of a system, given that the interconnect will be essentially shared between the partitions. Also, many previous systems do not allow any interrupts across a partition boundary. This generally limits the functionality of the system because there are many cases where interrupts are truly useful, such as for cases involving communication of indicators representing a situation involving a processor seeking to join a subject partition, or indicators of some other special event. Without interrupts between partitions, software is generally needed to poll for these events. This type of software based approach is much less efficient because, while one might achieve high availability, the system loses most of the benefits of the built in hardware. Accordingly, many systems utilize a scheme which permits some interrupts to pass. Systems which do allow interrupts across a partition boundary might only allow for a special, single, hard wired interrupt. Hard wired approaches are limited in that they do not have the ability to handle interrupt flexibility that systems need for optional performance. A hard wired interrupt can cause problems where an OS needs a particular interrupt number for other purposes. Thus, a single interrupt has the drawback that an infrequent, but expensive-to-handle event, such as having an external processor join a subject partition, would share the same interrupt line as a frequent but less-expensive event, (e.g., such as that used for communicating that a database update is complete), thus incurring the need for yet further software to poll all possible sources to determine which event was indicated. Moreover, once such a system lets some traffic through, the system becomes vulnerable to corruption from other partitions. Hence, if a partition lets some traffic through, the subject partition must necessarily have to trust the other partition at least to some degree in order to provide well-formed transactions which follow the subject rules. Of course, this arrangement and others would allow another partition to propagate a failure of the subject partition, particularly if there is purposely corrupted data present.
It will be seen that the prior art approach to solving the problems relating to communication between partitions is rife with shortcomings. For example, if an absolute communication firewall is established between partitions, one loses the benefit of high bandwidth of the system. Further, if a system partition permits an interrupt to go through, there will be an attendant danger of error propagation between partitions. Thus, there is need for a way to let some types of traffic through in a way that minimizes corruption of a subject partition, even if the other partition contains purposely corrupted data and generates corrupting traffic.
Hence, it is one of the objects of the present invention is to permit a non-trusted processor to interrupt a processor safely.